New security requirements issued for credit card payments on mobile devices

Check out this new post from my colleague, Sue Ross, covering new standards for mobile device credit card payments, including at retail stores. The Payment Card Industry (PCI) Security Standards Council recently announced the new standards, which apply to PIN entry transactions on smartphones and tablets used at point-of-sale. The post is published in Norton Rose Fulbright’s Data Protection Report.

CPSC finalizes phthalate rule that may cause headaches for imports

The U.S. Consumer Product Safety Commission has finally published its Final Rule on phthalates. CPSC first proposed the rule nearly three years ago, and its publication brings to eight the number of phthalates included in CPSC’s consumer product safety standard for children’s toys and child care articles.

The rule is effective April 25, 2018 – but in a move that is likely to have serious implications for importers of record, it applies to children’s toys and child care articles domestically manufactured or imported on or after that date, regardless of date of manufacture. These products will need to be tested for all eight phthalates by a third party CPSC-approved testing lab and certified as compliant by the manufacturer or importer of record. Importers of record will need to consider how to approach certification if they import products with significant gaps between time of manufacture overseas and importation.

What changed?

The current version of Section 108 prohibits the phthalates DEHP, DBP, and BBP in concentrations above 0.1 percent (1,000 parts per million) in children’s toys and child care articles. CPSIA defines a children’s toy as “a consumer product designed or intended by the manufacturer for a child who is 12 years old or younger for use by the child when the child plays.” It defines a child care article as “a consumer product designed or intended by the manufacturer to facilitate sleep or the feeding of children age 3 and younger, or to help such children with sucking or teething.”

The Final Rule now also restricts the following five phthalates to 1,000 ppm:

  • DINP
  • DIBP
  • DCHP

Import disaster

With regard to the issue of import date, in its rulemaking file, CPSC stated that it “expects that the rule will require minimal changes for manufacturers and testing laboratories. Therefore 180 days from publication in the Federal Register should be sufficient time for the rule to take effect.”  On the contrary, we expect CPSC and CBP will have a mess on their hands in April.

Proposition 65 Listed Chemical update

Here is the latest roundup of Proposition 65 chemical issues looming on the horizon for consumer products. Reminder: warnings are required 12 months after the listing effective date, assuming that there is an exposure, and the exposure exceeds the level that requires a warning:

Listed effective Oct. 27, 2017:

  • N,N-Dimethylformamide (DMF), CAS No. 68-12-2, used in leather tanning, production of plastics and acrylic fibers, and manufacture of adhesives, synthetic leathers, and surface coatings.
  • 2-Mercaptobenzothiazole (MBT), CAS No. 149-30-4, used in vulcanization of rubber and dopamine beta-hydroxylase inhibition, and used for antibacterial and antifungal purposes.
  • Tetrabromobisphenol A (TBBPA), CAS No. 79-94-7, used as a reactive flame retardant to produce a bromine-containing epoxy resin and polycarbonate, an intermediate for synthesis of other complex flame retardants, and an additive flame retardant for ABS, HIPS, unsaturated polyester rigid polyurethane foams, adhesives and coatings.

Listed effective Nov. 10, 2017:

  • Perfluorooctanoic acid (PFOA), CAS No. 335-67-1, surfactant used in a variety of consumer products, including carpets, textiles, leather, non-stick cookware, and paper coatings used in food packaging, to confer stain, grease and water resistance; PFOA is used in the production of fluorpolymers.
  • Perfluorooctane sulfonate (PFOS), CAS No. 1763-23-1, surfactant used in a variety of consumer products, including carpets, textiles, leather, non-stick cookware, and paper coatings used in food packaging, to confer stain, grease and water resistance.


California enacts law requiring cleaning product ingredient disclosures

California has enacted Senate Bill 258, the “Cleaning Products Right to Know Act of 2017.” SB 258 requires cleaning product manufacturers to disclose the ingredients of their products to consumers. The bill is a victory for disclosure advocates after many failed attempts at a California “right-to-know.” The first disclosure requirements take effect for products manufactured on and after January 1, 2020.

Disclosure Requirements

SB 258 requires ingredient disclosure in two ways – online disclosures and product labeling. Manufacturers must comply with both requirements, although the compliance dates are phased in.

Online disclosures

Manufacturers of cleaning products sold in California must post the following information on their websites for each product:

  • A list of “intentionally added” ingredients in the product;
  • A list of all “nonfunctional constituents” present in the designated product at a concentration at or above 0.01 percent (100 parts per million);
  • The Chemical Abstracts Service (CAS) chemical identification number for all listed chemicals;
  • The functional purpose served by each intentionally added ingredient;
  • Hyperlinks to government information websites for chemicals, such as the Office of Environmental Health Hazard Assessment Proposition 65 consumer information website; and
  • A hyperlink to the Safety Data Sheet (SDS) for each product.

An “intentionally added” ingredient is a chemical that a manufacturer has added to a designated product that has a functional or technical effect. “Nonfunctional constituents” are “incidental component[s] of an intentionally added ingredient, a breakdown product of an intentionally added ingredient, or a byproduct of the manufacturing process that has no functional or technical effect on the designated product.”

This requirement applies to designated products sold in California on or after January 1, 2020, unless they are manufactured prior to that date and are marked with the manufacture date (date codes are permissible). In addition, designated chemicals appearing on the California Proposition 65 list do not need to be listed on the website until January 1, 2023.

Product labeling

Manufacturers of cleaning products sold in California must also include on the label for each product:

  • A list of “intentionally added” ingredients in the product that are currently listed on any of a number of well-known lists of designated toxins, carcinogens, chemicals of high concern, etc.; and
  • The manufacturer’s toll-free telephone number and internet web site address.

The Act specifically identifies 23 chemical lists, including:

  • California Proposition 65;
  • Washington Department of Ecology’s PBT chemicals;
  • Chemicals included in the EU Candidate List of Substances of Very High Concern (SVHC); and
  • Carcinogens identified by the International Agency for Research on Cancer (IARC).

The labeling requirement does not apply to contaminants, in contrast to the online disclosure requirement.

If a manufacturer cannot list all of the required information on the label, it must provide a statement directing consumers to a web address or toll free number for complete ingredient information. Manufacturers may also provide information via developing consumer information technology, such as QR codes or other electronic links.

Who must comply?

SB 258 applies to “manufacturers” of “designated products.”

A “manufacturer” is a “person or entity who manufactures the designated product and whose name appears on the product label” or a “person or entity who the product is manufactured for or distributed by, as identified on the product label under to the federal Fair Packaging and Labeling Act.”

A “designated product” is a “finished product that is an air care product, automotive product, general cleaning product, or a polish or floor maintenance product used primarily for janitorial, domestic, or institutional cleaning purposes.”


SB 258 does not apply to:

  • Foods, drugs, and cosmetics, including personal care items such as toothpaste, shampoo, and hand soap;
  • Industrial products manufactured for and exclusively used in:
    • Oil and gas production.
    • Steel production.
    • Heavy industry manufacturing.
    • Industrial water treatment.
    • Industrial textile maintenance and processing other than industrial laundering.
    • Food and beverage processing and packaging.
    • Other industrial manufacturing processes.

Exceptions for “Confidential Business Information”

The Act provides some slight exceptions for “confidential business information,” but does not permit CBI claims to cover a chemical ingredient appearing on any of the designated lists of chemicals identified as causing harm to human health or the environment and certain fragrance allergens. Beyond those designated list chemicals, an ingredient may be protected as CBI if it is “a claim [that] has been approved by the United States Environmental Protection Agency (US EPA) for inclusion on the Toxic Substances Control Act (TSCA) Confidential Inventory, or for which the manufacturer or its suppliers claim protection under the Uniform Trade Secrets Act.” The CBI provisions are complex and should be consulted in detail when assessing compliance approaches to the Act.

Requirements for Employers

SB 258 also adds a requirement for employers to make the ingredient information listed on a manufacturer’s website available to employees in the workplace if the employer is already required to make safety data sheets/SDS readily accessible employees.


SB 258 does included a specific enforcement provision, and more general enforcement provisions in the Health and Safety Code appear to be inapplicable. At a minimum, we could see the Attorney General or district or city attorneys enforcing violations under California’s Unfair Competition Law, but we will be on the lookout for more guidance from the state on enforcement.


Oregon children’s product reporting instructions and portal go live

With less than three months to go before the first biennial reporting deadline, the Oregon Health Authority has opened its reporting portal and issued instructions for reporting under the Oregon Toxic Free Kids Act. The Act requires manufacturers (or importers into the state) to report the existence of “High Priority Chemicals of Concern for Children’s Health” (HPCCCH) contained in children’s products offered for sale in Oregon, if the HPCCCH are intentionally added above de minimis levels or are present as contaminants above 100 parts per million. The first reporting deadline is January 1, 2018, for all covered products sold offered for sale or sold in the state in 2017.

Manufacturers are “any person that produces a children’s product or an importer or domestic distributor of a children’s product.” An importer is “the owner of the children’s product.”

“Children’s products” are:

(A) Any of the following products that are made for, marketed for use by or marketed to children under 12 years of age:

(i) A product designed or intended by the manufacturer to facilitate sucking, teething, sleep, relaxation, feeding or drinking.

(ii) Children’s clothing and footwear.

(iii) Car seats.

(iv) Children’s cosmetics.

(v) Children’s jewelry.

(vi) Toys.

The Act specifically exempts a number of products, ranging from athletic shoes with cleats/spikes to bicycles to scooters.

The reporting form and required information appear to track closely to the Washington Children’s Safe Products Act. Key differences are that:

  • Reporting entities must pay a $250 fee for each HPCCCH reported, regardless of how many different products contain that HPCCCH; and
  • There is NO exception for inaccessible components.

To report, a manufacturer/importer must first fill out a “Notice Template” identifying:

  • Manufacturer/importer
  • Product brick
  • Component name
  • Chemical name and CAS number of each HPCCCH
  • Concentration range
  • Chemical function
  • Target age
  • Number of bricks sold in Oregon in 2017; and
  • Number of bricks offered for sale in Oregon in 2017.

The Notice Template is a downloadable spreadsheet.

Second, the manufacturer/importer must submit the appropriate fee amount (by check or credit/debit) to the OHA (as noted above, each HPCCCH requires a $250 payment, regardless of how many product bricks contain that HPCCCH).

Finally, the manufacturer/importer must go to the OHA reporting portal to upload and submit the completed Notice Template and payment receipt ID.

California Governor signs Proposition 65 amendment

Updating our prior post, California Governor Jerry Brown has signed the Proposition 65 amendment bill. As of January 1, 2018, Proposition 65’s certificate of merit requirements will be amended to:

  • Require the Attorney General to send a letter to the private enforcer and the recipients of the 60-day notice when the Attorney General has reviewed the certificate of merit and determined that there is no merit to an action;
  • Make the basis for the certificate of merit discoverable in litigation, to the extent that the information is relevant to the subject matter of the action and not subject to the attorney-client privilege, the attorney work product privilege, or any other legal privilege.

You can read more about the bill here.

California legislature seeks to clarify Prop 65 certificate of merit discovery rules

The California Legislature has done something it’s found exceedingly difficult to do since Proposition 65’s adoption by ballot initiative 31 years ago: amend the law.

For only the third time since 1986, the Legislature has made substantive revisions to Prop 65 that focus on the private enforcement mechanism.

Since 2001, private enforcers who serve a pre-suit notice alleging a violation of Prop 65’s warning requirement must include with the notice a “certificate of merit.” The certificate must recite that the enforcer:

has consulted with one or more persons with relevant and appropriate experience or expertise who has reviewed facts, studies, or other data regarding the exposure to the listed chemical that is the subject of the action, and that, based on that information, the person executing the certificate believes there is a reasonable and meritorious case for the private action.

Private enforcers must also attach “factual information sufficient to establish the basis of the certificate of merit” to the copy of the certificate served on the California Attorney General, but need not provide it to the noticed company. This factual information is generally not discoverable in litigation, unless the court finds that there was no credible basis for an exposure to a listed chemical after an in camera hearing, in which the noticed company does not get to see the information.

On September 14, 2017, the Legislature amended the certificate of merit provisions and sent AB 1583 to Governor Brown for signature. AB 1583 would do two things:

  • Require the Attorney General to send a letter to the private enforcer and the recipients of the 60-day notice when the Attorney General has reviewed the certificate of merit and determined that there is no merit to an action;
  • Make the basis for the certificate of merit discoverable in litigation, to the extent that the information is relevant to the subject matter of the action and not subject to the attorney-client privilege, the attorney work product privilege, or any other legal privilege.

The first revision codifies the Attorney General’s current practice of sending letters when his office determines that an action has no merit, although it is not clear how the Attorney General currently reaches such determinations, and whether this will have an impact going forward.

The second revision address ambiguity in the current statute, which provides that the factual basis of a certificate of merit is not discoverable, unless it is relevant to the subject matter and otherwise discoverable. This confusing language—nothing is discoverable unless it is relevant to the subject matter of the litigation—resulted in many private plaintiffs taking the position that the basis of the certificate of merit was never discoverable, forcing defendants seeking such information to try to pierce the privilege and what appeared to be a presumption of non-discoverability.

Under the amendment, defendants would have a prima facie right to seek discovery of the factual basis for the certificate, and the burden would be on the private enforcer to justify any privilege or work product objections, as is the case with any other assertion of privilege.

AB 1583 is widely supported by the business community and had no recorded opposition. The Governor is expected to sign it, and assuming he does, it would become effective on January 1, 2018. As was the case after the adoption of SB 471 in 2001, there may be litigation over the retroactive application of the amendment to notices served prior to its effective date (the 2001 amendments were deemed retroactively applicable procedural rules, and there is every reason to believe that this amendment will be treated similarly).

CPSC removes seven plastic types from CPSIA third party testing for phthalates

In an effort to reduce the burdens of compliance with the U.S. Consumer Product Safety Improvement Act, the U.S. Consumer Product Safety Commission has voted to remove seven types of plastics (containing specified additives) from the CPSIA’s mandatory third party testing requirement for phthalates in children’s toys and child care articles.  The Commission determined that the following types of plastics with specified additives do not contain regulated phthalates above the 1,000 parts per million limit in the CPSIA:

  • polypropylene (PP)
  • polyethylene (PE)
  • high-impact polystyrene (HIPS)
  • acrylonitrile butadiene styrene (ABS)
  • general-purpose polystyrene (GPPS)
  • medium-impact polystyrene (MIPS)
  • super-high-impact polystyrene (SHIPS)

The applicable lists of specified additives in each type of plastic can be found in the draft final rule until the final rule is published in the Federal Register.

New Jersey passes new drivers license swipe law

In enacting the Personal Information and Privacy Protection Act (S-1913), New Jersey joins a growing minority of states with so-called “swipe laws.” New Jersey’s law generally aligns with swipe laws in the approximately one-third of other states with such laws, limiting the purposes and type of information a retailer may scan and retain from identification cards. However, New Jersey goes a step further than most in specifying data storage requirements and requiring notification directly to the consumer when ID information is compromised.

Permissible uses

As of October 1, 2017, retailers will only be permitted to scan customers’ drivers’ licenses or other identification cards for specific purposes and can only collect certain data from those scans.

Retailers may scan ID cards to:

  • verify authenticity of the card
  • verify identity of the person if the person does not pay with cash, returns an item, or requests a refund or exchange
  • verify a customer’s age when buying age-restricted goods or services
  • prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system.

Additional permitted uses pertain to retailers’ state and federal reporting requirements, including transmitting information to a consumer reporting agency, financial institution or debt collector under the various federal credit statutes, and to an entity as permitted under HIPAA.

Limits on data

When scanning, retailers may only collect the person’s name, address, date of birth, the state issuing the identification card, and the identification card number.

The legislation also imposes new restrictions on the retention, storage, and dissemination of information gathered through ID scans. Retailers are prohibited from retaining customer information when a customer pays with a method other than cash, returns an item or requests a refund or exchange, or when purchasing age-restricted goods or services. For any permitted retention of identification card data, retailers are required to “securely store” this data and report any security breaches to the Division of State Police in the Department of Law and Public Safety, as well as notify “any affected person.” Retailers are further barred from selling or disseminating this information for any purpose, including marketing and advertising. Retailers that violate the law face fines as well as the potential for lawsuits brought by “any person aggrieved by a violation.”